I currently use Backblaze for online backup. I am thinking of switching to just storing all my documents on my iCloud drive.

With Backblaze, you can set an encryption key. Without this key no one can access your data - not even Backblaze.

I know by default, iCloud does not do this. But is there a 'set-it-and-forget-it` workaround to have files encrypted before they are uploaded?

I don't have anything sensitive in my files. But after all the stories one hears in the media, I would be reluctant to put my files in a place where a rogue Apple employee (or contractor) can just open them up.

2 Answers
2

If you want set-it-forget-it like BackBlaze, then iCloud is not for you. Your data is safe from a rogue Apple employee, but not safe from a government agency or someone with a legal ability to extract it. When Apple can help you regain access to your iCloud files if you forget your password then they can help a government agency to do that too.

But if you create your own password-encrypted disk image (.sparsebundle file using Disk Utility and encryption in the Finder) then the password is known only to you, and is only stored in RAM on your machine while your disk image is open and mounted; it is destroyed when you unmount and close the encrypted disk image. You can keep copies of that encrypted disk image on your machine or in a cloud service.

If you never store that password in the Keychain iCloud or localitems keychain files, then it will never be uploaded to iCloud. If you store that password in a local-only Keychain file then it is secure but would not necessarily be proof against seizure of your hardware or a malicious remote control.

Regardless of how well you protect the password to your encrypted disk image, you might be forced to decrypt it whilst under arrest. If you 'forget' it, then that may be used against you in court. If you truly forget it, then your data is completely deleted and unrecoverable.

iCloud secures your data by encrypting it when it's sent over the Internet, storing it in an encrypted format when kept on server (review the table below for detail), and using secure tokens for authentication. This means that your data is protected from unauthorized access both while it is being transmitted to your devices and when it is stored in the cloud. iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties.

When you access iCloud services using Apple’s built-in apps (for example, Mail, Contacts, and Calendar apps on iOS or OS X), authentication is handled using a secure token. Using secure tokens eliminates the need to store your iCloud password on devices and computers. Even if you choose to use a third-party application to access your iCloud data, your username and password are sent over an encrypted SSL connection.

And regarding the privacy:

Apple has a company-wide commitment to your privacy. Our Privacy Policy covers how we collect, use, disclose, transfer and store your information.
In addition to adhering to the Apple Privacy Policy, Apple designs iCloud features with your privacy in mind. For example:

Nothing that you wrote suggests the data might be encrypted with a key that doesn't leave the device. I don't understand why this has been upvoted, it seems like a non-answer to me.
– AndreKRDec 8 '15 at 15:38

2

-1. This is completely misleading. Yes, an Apple employee could access the files. In fact that's how many government requests for SMS/iMessage data are fulfilled—iCloud backups of a device involved. If you can "forget" your password, your data is not safely encrypted (FileVault works around this by giving a recovery key, but you need at least one of the two to decrypt it).
– 0942v8653Dec 8 '15 at 15:39

2

Encrypted in transit - yes. Encrypted at rest - with Apple holding the key. That is not encryption with big_smile holding the key. I have also -1.
– GilbyDec 8 '15 at 22:34